Skip directly to content

Feed aggregator

SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 19:33
Description

Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types.

The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher report by getting the administrator's browser to make a request to a specially-crafted URL while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Log Watcher 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Log Watcher module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Log Watcher project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:57
Description

This module enables you to use a different label for displaying fields from the label used when viewing the field in a form.

The module doesn't sufficiently sanitize the alternate field label in content types settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to add or edit fields on an entity.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Field Display Label 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Field Display Label module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Field Display Label project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:54
Description

This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon.

The report administration links are not properly protected from CSRF. A malicious user could cause an administrator to delete settings for hidden form elements or status messages by getting the administrator's browser to make a request to a specially-crafted URL while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Jammer 6.x-1.x versions prior to 6.x-1.8.
  • Jammer 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Jammer module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Jammer module for Drupal 6.x, upgrade to Jammer 6.x-1.8
  • If you use the Jammer module for Drupal 7.x, upgrade to Jammer 7.x-1.4

Also see the Jammer project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:34
Description

Todo Filter module provides an input filter to display check-boxes that can be used as a task list.

Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user's browser to make a request to a specially-crafted URL while the user was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Todo Filter 6.x-1.x versions prior to 6.x-1.1.
  • Todo Filter 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Todo Filter module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed Todo Filter module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Todo Filter project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:25
Description

Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field.

The module doesn't sufficiently sanitize node titles in the result list if the node search plugin is enabled.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to add or edit any type of node and that the linkit node search plugin is enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Linkit 7.x-2.x versions prior to 7.x-2.7.
  • Linkit 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Linkit module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 7.x and Linkit 7.x-2.x, upgrade to Linkit 7.x-2.7
  • If you use the Linkit module for Drupal 7.x and Linkit 7.x-3.x, upgrade to Linkit 7.x-3.3

Also see the Linkit project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:20
Description

The Batch Jobs project is a scalable way to execute a list of tasks.

Links that take actions on batch jobs are not protected from Cross Site Request Forgery (CSRF). A malicious individual could cause a user that has permission to access a particular batch job (or an administrator) to dele the record of that batch job or possibly execute a task by getting the user's browser to make a request to a specially-crafted URL while the user is logged in.

This vulnerability only exists when batch job data exists - i.e. during the short period it is running or if it is retained (not deleted after completion of the batch job).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Batch Jobs 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Batch Jobs module,
there is nothing you need to do.

Solution

Make sure that all batch jobs are deleted or install the latest version:

Also see the Batch Jobs project page.

Reported by Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:15
Description

This module provides integration with the Cloudwords third-party service.

The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting (XSS) vulnerability.

Also, a menu callback was not protected against CSRF.

The XSS vulnerability is mitigated by the fact that an attacker must have a user with permissions to create nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Cloudwords for Multilingual Drupal 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Cloudwords for Multilingual Drupal module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Cloudwords for Multilingual Drupal project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:14
Description

The Htaccess module allows the creation and deployment of .htaccess files based on custom settings.

Some administration links were not properly protected from Cross Site Request Forgery (CSRF). A malicious user could cause an administrator to deploy or delete .htaccess files by getting the administrator's browser to request specially crafted URLS while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All Htaccess 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed htaccess module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the htaccess project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by
  • Jibus the module maintainer
Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-005 - WikiWiki - SQL injection

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 17:02
Description

WikiWiki module gives you one place to create, share and find wiki pages in your site.

The module did not sanitize user input inside a database query thereby leading to a SQL Injection vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • WikiWiki 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed WikiWiki module, there is nothing you need to do.

Solution

Install the latest version:

Also see the WikiWiki project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-004 - Context - Open Redirect

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 16:30
Description

Context allows you to manage contextual conditions and reactions for different portions of your site.

Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby leading to an Open Redirect vulnerability.

This vulnerability is mitigated by the fact that the victim must have the permission "administer contexts" and that Context UI module must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Context 7.x-3.x versions prior to 7.x-3.6

Drupal core is not affected. If you do not use the contributed Context module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Context project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-128 - Organic Groups Menu - Access bypass

Drupal Contrib Security Announcements - Wed, 12/17/2014 - 19:57
Description

This module enables you to associate menus with Organic Groups (OG). It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc.

The module doesn't sufficiently check the menu parameters passed in the path, creating an access bypass vulnerability allowing an attacker to edit or delete any menu link on the site. There is also an information disclosure vulnerability of menu info.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer og menu".

This handles the same issue as SA-CONTRIB-2014-125, but due to a mistake made in tagging the release, the fix did not get included.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.6
  • Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.4

Organic Groups Menu (OG Menu) 7.x-3.0 and later versions are not affected.

Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.6
  • If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.4
  • If you use the OG Menu module for Drupal 7.x and the OG module 7.x-2.x, no action is needed.

Also see the OG Menu project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/17/2014 - 18:57
Description

School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system.

The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with the permission to create or edit a class node.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • School Administration 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 12/17/2014 - 18:09
Description

This distribution enables you to create an intranet.

Several of the sub modules included do not prevent CSRF on several menu callbacks.

Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with "access content" to update and delete nodes.

Also, (alpha) module OG Subgroups contained a vulnerability that allowed access to child groups even if membership inheritance was disabled.

The vulnerabilities are mitigated by needing the sub modules enabled -- Open Atrium Sitemap, Open Atrium Discussion, and OpenA trium Admin Role and OA Teams, modules bundled with of Open Atrium Core.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Open Atrium 7.x-2.x versions prior to 7.x-2.26

Drupal core is not affected. If you do not use the contributed Open Atrium module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium project page.

Reported by Fixed by
  • Hunter Fox of the Drupal Security Team & an Open Atrium maintainer
Coordinated by
  • Hunter Fox of the Drupal Security Team & an Open Atrium maintainer
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-125 - Organic Groups Menu - Access bypass

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 20:08
Description

This module enables you to associate menus with Organic Groups (OG). It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc.

The module doesn't sufficiently check the menu parameters passed in the path, creating an access bypass vulnerability allowing an attacker to edit or delete any menu link on the site. There is also an information disclosure vulnerability of menu info.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer og menu".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.5.
  • Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.3.
  • Organic Groups Menu (OG Menu) 7.x-3.x versions prior to 7.x-3.0

Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.5
  • If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.3
  • If you use the OG Menu module for Drupal 7.x, and the OG module 7.x-2.x upgrade to OG Menu 7.x-3.0

Also see the OG Menu project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-124 - Poll Chart - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 20:05
Description

This module enables users to have a block displaying the result of the last poll as a chart.

The module doesn't sufficiently sanitize poll node titles when displaying the block.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and the poll chart block must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • poll_chart 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Poll Chart Block module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Poll Chart Block project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-123 - Postal Code - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 18:38
Description

The Postal Code module enables you to implement postal code validation for several countries.

The module doesn't sufficiently sanitize certain data in the admin thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission that allows adding or editing fields to entity types such as "administer taxonomy terms" or "administer content types".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Postal Code 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Postal Code module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Postal Code project page.

Reported by
  • Matt Vance (provisional member of the Drupal Security Team)
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-122 - MoIP - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 18:28
Description

This module enables you to use Moip (a Brazilian payment method) with Drupal Commerce.

The module doesn't sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting (xss) attacks.

This vulnerability is mitigated by the fact that only sites running the dblog module are affected (this module is enabled by default).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Moip 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed MoIP module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Moip module for Drupal 7.x, upgrade to Moip 7.x-1.4

Also see the MoIP project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-121 - Godwin's Law - Cross-Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 18:20
Description

This module enables you to execute arbitrary Javascript by adding the script to the title of a node.

The module doesn't sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It improperly translated the message rather than using proper Watchdog message syntax.

This vulnerability is mitigated by the fact that an attacker must have a role allowing them to create nodes or edit the title of an existing node. It is further mitigated in that the script is only executed by admins when viewing a Watchdog notice when using dblog module (syslog users are not affected).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Godwin's Law 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Godwin's Law module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Godwin's Law project page.

Reported by Fixed by
  • tobby the module maintainer
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-120 - Piwik Web Analytics - Information disclosure

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 15:21
Description

This module enables you to integrate Drupal with Piwik Web Analytics.

The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on.

This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Piwik Web Analytics 7.x-2.6. Neither earlier nor later versions are affected.

Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module,
there is nothing you need to do.

Solution

Install the latest version:

Affected sites are urged to generate a new hash salt and store it in settings.php.

Methods to generate a new hash salt
  • With drush:
    drush php-eval 'echo(drupal_random_key()) . "\n";'
  • With openssl:
    openssl rand -base64 32
How to replace the hash salt
  1. Open your settings.php file (e.g., sites/default/settings.php
  2. Locate the variable $drupal_hash_salt:
    <?php
    /**
     * Salt for one-time login links and cancel links, form tokens, etc.
     * [...]
     */
    $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
    ?>
  3. Replace the value and safe the file
  4. Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing drush cache-clear all
Effects caused by replacing the hash salt
  • Passwort reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
  • Existing image style urls will stop working. A cache flush is necessary such that all <img> tags are updated.

If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.

Also see the Piwik Web Analytics project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-119 - Google Analytics - Information disclosure

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 15:09
Description

This module enables you to integrate Drupal with Google Analytics.

The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on.

This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Google Analytics 7.x-2.0. Neither earlier nor later versions are affected.

Drupal core is not affected. If you do not use the contributed Google Analytics module,
there is nothing you need to do.

Solution

Install the latest version:

Affected sites are urged to generate a new hash salt and store it in settings.php.

Methods to generate a new hash salt
  • With drush:
    drush php-eval 'echo(drupal_random_key()) . "\n";'
  • With openssl:
    openssl rand -base64 32
How to replace the hash salt
  1. Open your settings.php file (e.g., sites/default/settings.php
  2. Locate the variable $drupal_hash_salt:
    <?php
    /**
     * Salt for one-time login links and cancel links, form tokens, etc.
     * [...]
     */
    $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
    ?>
  3. Replace the value and safe the file
  4. Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing drush cache-clear all
Effects caused by replacing the hash salt
  • Password reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
  • Existing image style urls will stop working. A cache flush is necessary such that all <img> tags are updated.

If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.

Also see the Google Analytics project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Pages